Ordercli
Foodora-only CLI for checking past orders and active order status (Deliveroo WIP).
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 3 · 6.8k · 860 current installs · 879 all-time installs
by Peter Steinberger @steipete
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to be a thin CLI for Foodora/Deliveroo. That purpose can legitimately require login/session data and an installed binary. However, the registry metadata at the top-level lists no required binaries, no config paths, and no env vars, yet the SKILL.md and its embedded metadata expect the 'ordercli' binary and suggest Homebrew/Go install methods. This mismatch between declared requirements and the instructions is a coherence problem.
Instruction Scope
SKILL.md instructs use of browser-based login, reusing a browser profile path ($HOME/Library/Application Support/ordercli/browser-profile), and importing Chrome cookies from a Chrome profile. Those actions involve reading local browser profiles and cookies (sensitive personal/session data). The instructions also show a Deliveroo bearer token option and password stdin usage. The registry does not declare access to any config paths or secrets, so the instructions widen scope beyond the skill's declared boundaries.
Install Mechanism
The SKILL.md's embedded metadata proposes install via a Homebrew tap (steipete/tap/ordercli) or a Go module from github.com/steipete/ordercli. These are standard distribution channels (lower risk than arbitrary download URLs). The registry, however, lists no install spec while SKILL.md does — the inconsistency should be resolved. You should verify the Homebrew tap and GitHub repo before installing.
Credentials
Top-level registry fields declare no required env vars, but SKILL.md mentions a DELIVEROO_BEARER_TOKEN (and optional DELIVEROO_COOKIE) for Deliveroo support. The instructions also imply supplying email/password (via --password-stdin) and importing browser cookies/profiles. Requesting/using tokens, cookies, or browser profiles is sensitive and should be explicitly declared; its absence is a red flag.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide modifications. It recommends reusing a browser profile path and allows storing a config (e.g., --config /tmp/ordercli.json), but it does not demand permanent presence or modify other skills. No elevated platform privileges are requested in the registry.
What to consider before installing
Before installing or enabling this skill: (1) Verify the upstream project and Homebrew tap (steipete/ordercli) and review source code on GitHub — the SKILL.md suggests installs come from those sources. (2) Be cautious about supplying browser profiles, Chrome cookies, or bearer tokens — these contain session/auth data that can access your accounts; only use cookie/profile import in a controlled environment or with throwaway accounts. (3) Prefer manual use of the ordercli binary rather than granting an agent automatic access; if you do allow the agent to run it, restrict the agent's file access so it cannot read your actual browser profile directory. (4) If you need Deliveroo support, only provide DELIVEROO_BEARER_TOKEN after reviewing why it's needed. (5) If you are unsure, run ordercli in an isolated VM or container and inspect network activity and stored config files before trusting it with real credentials. The main red flags are the mismatch between declared registry requirements and the SKILL.md instructions (sensitive file/cookie access and an undocumented env var).
Like a lobster shell, security has layers — review code before you run it.
Current version v1.0.0
Runtime requirements
🛵 Clawdis
Bins: ordercli
Install
Install ordercli (brew)
Bins: ordercli
    brew install steipete/tap/ordercli
Install ordercli (go)
Bins: ordercli
    go install github.com/steipete/ordercli/cmd/ordercli@latest
SKILL.md
ordercli
Use ordercli to check past orders and track active order status (Foodora only right now).
Quick start (Foodora)
    ordercli foodora countries
    ordercli foodora config set --country AT
    ordercli foodora login --email you@example.com --password-stdin
    ordercli foodora orders
    ordercli foodora history --limit 20
    ordercli foodora history show <orderCode>
Orders
- Active list (arrival/status): ordercli foodora orders
- Watch: ordercli foodora orders --watch
- Active order detail: ordercli foodora order <orderCode>
- History detail JSON: ordercli foodora history show <orderCode> --json
Reorder (adds to cart)
- Preview: ordercli foodora reorder <orderCode>
- Confirm: ordercli foodora reorder <orderCode> --confirm
- Address: ordercli foodora reorder <orderCode> --confirm --address-id <id>
Cloudflare / bot protection
- Browser login: ordercli foodora login --email you@example.com --password-stdin --browser
- Reuse profile: --browser-profile "$HOME/Library/Application Support/ordercli/browser-profile"
- Import Chrome cookies: ordercli foodora cookies chrome --profile "Default"
Session import (no password)
    ordercli foodora session chrome --url https://www.foodora.at/ --profile "Default"
    ordercli foodora session refresh --client-id android
Deliveroo (WIP, not working yet)
- Requires DELIVEROO_BEARER_TOKEN (optional DELIVEROO_COOKIE).
    ordercli deliveroo config set --market uk
    ordercli deliveroo history
Notes
- Use --config /tmp/ordercli.json for testing.
- Confirm before any reorder or cart-changing action.
